Compliance status

What is in place. What is in progress. What is pending.

This is Rōvn's living public compliance snapshot. We update it as evidence is added or status changes. Sales is not allowed to claim more than what is on this page. Customers and prospective investors can request the underlying evidence binder under NDA.

HIPAA program

Control area	Status	Evidence
AWS Business Associate Addendum (BAA) accepted on Rōvn account	In place	AWS Artifact
HIPAA-eligible AWS foundation (private VPC, KMS, CloudTrail, GuardDuty, Security Hub, AWS Backup)	In place	Evidence binder · AWS console screenshots
RDS PHI Postgres (private, encrypted, deletion protection, backup policy)	In place	`rovn-prod-phi-postgres`
Backup + verified restore drill	In place	Restore evidence in PHI evidence vault
Nurse consent ledger + signed packet release events	In place	Migration `017_rovn_ready_requirements_evidence.sql`
Formal HIPAA Security Risk Assessment	In progress	Target: pre-PHI prod cutover
Vendor BAA / DPA inventory and signed sub-processor agreements	In progress	AWS, Persona, Checkr, NPDB, Nursys + others
Formal HIPAA policies (privacy, security, breach, sanctions, training)	In progress	Workforce acknowledgements pending
Quarterly access review evidence	In progress	First review scheduled
Incident response runbook + tabletop exercise	In progress	First tabletop scheduled
Production secrets fully migrated to Secrets Manager / SSM	In progress	Migration in flight
Reviewed production application image in ECR + ECS service enabled	Pending review	ECS desired count 0 by design
Production traffic connected to PHI backend	Pending	Will not enable until program above is complete
Independent third-party HIPAA assessment	Planned	Post-Series-A
SOC 2 Type I readiness	Planned	Vendor selected after first paying facilities

Verification and credentialing data

Capability	Status	Source
NPDB registration	Registered	DBID 399700000147857 · pending notarized doc upload
Nursys e-Notify	Live	e-Notify production
OIG / SAM exclusion screening	In place	Continuous screening
Identity verification (Persona)	In integration	Vendor BAA tracked
Background check (Checkr)	In integration	Vendor agreement tracked
State BON primary-source query	In progress	Per-state coverage tracked

Privacy and consumer rights

Privacy Policy: /privacy
Terms of Service: /terms
State-specific rights (CA, CO, CT, VA, UT and others) honored on request to privacy@rovn.to.
Nurse packet release requires explicit consent. Nurses can revoke release at any time.

Asks under NDA

Customers and qualified investors can request:

The current evidence binder (AWS console exports, KMS / VPC / CloudTrail screenshots, restore drill receipt).
The data flow diagram and PHI inventory.
The vendor sub-processor list with BAA / DPA status per vendor.
The current Risk Assessment status and remediation plan.

Send the request to security@rovn.to.

Last updated 2026-04-25. Owner: Rovn LLC, CEO Giles-Evan Mboumi.